54 lines
935 B
Plaintext
54 lines
935 B
Plaintext
#include <tunables/global>
|
|
|
|
|
|
profile hassio-supervisor flags=(attach_disconnected,mediate_deleted) {
|
|
#include <abstractions/base>
|
|
#include <abstractions/python>
|
|
|
|
network inet tcp,
|
|
|
|
deny network raw,
|
|
deny network packet,
|
|
|
|
/usr/bin/python{,3,3.[0-9]} ix,
|
|
/usr/bin/socat cx,
|
|
/usr/bin/gdbus cx,
|
|
|
|
deny /bin/** wl,
|
|
deny /boot/** wl,
|
|
deny /dev/** wl,
|
|
deny /etc/** wl,
|
|
deny /home/** wl,
|
|
deny /lib/** wl,
|
|
deny /mnt/** wl,
|
|
deny /proc/** wl,
|
|
deny /root/** wl,
|
|
deny /sbin/** wl,
|
|
deny /tmp/** wl,
|
|
deny /sys/** wl,
|
|
deny /usr/** wl,
|
|
/** r,
|
|
|
|
/data/** rw,
|
|
/var/run/docker.sock rw,
|
|
|
|
profile /usr/bin/socat {
|
|
#include <abstractions/base>
|
|
|
|
network inet udp,
|
|
network inet tcp,
|
|
|
|
deny network raw,
|
|
deny network packet,
|
|
}
|
|
|
|
profile /usr/bin/gdbus {
|
|
#include <abstractions/base>
|
|
#include <abstractions/dbus>
|
|
|
|
deny network inet,
|
|
|
|
/var/run/dbus/system_bus_socket rw,
|
|
}
|
|
}
|